jigsaw | 25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe
Size

141KB
MD5

5ae42f93bb14b553f52bd15845b0992b
SHA1

f390fab5e976495686e13bac55fb7c6600cb04f9
SHA256

25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964
SHA512

d3b9494e1d5ee9c20ca019d5e65f1fa83f3b3ee875001c3a5abf36503af4b94fc2bd8e75fae430b7c0b94d74f7e23ae3af228ee8602e7ee685d9e7ddb1ec3858
SSDEEP

3072:wOXwqohogPKl0eIR8ex4z+nbZGfXIPqPy+YU2Xt+1:zngPKlP2844z+nbZGfXIC6+E9+

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (2027) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

Processes:

Firefx32.exe

pid	Process
2808	Firefx32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrobt32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adb\\Acrobt32.exe"	25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe

Drops file in Program Files directory 64 IoCs

Processes:

Firefx32.exe

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	Firefx32.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml.sux	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.sux	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.sux	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.sux	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	Firefx32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js	Firefx32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	Firefx32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.sux	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.sux	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip	Firefx32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	Firefx32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar.sux	Firefx32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.sux	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx	Firefx32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.sux	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.sux	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip	Firefx32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx	Firefx32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png	Firefx32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	Firefx32.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip.sux	Firefx32.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.sux	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.sux	Firefx32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif.sux	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar	Firefx32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif	Firefx32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg	Firefx32.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExpenseReport.xltx.sux	Firefx32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	Firefx32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar.sux	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar	Firefx32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	Firefx32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	Firefx32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar	Firefx32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	Firefx32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	Firefx32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe

description	pid	Process	procid_target
PID 2872 wrote to memory of 2808	2872	25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe	30
PID 2872 wrote to memory of 2808	2872	25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe	30
PID 2872 wrote to memory of 2808	2872	25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe	30

C:\Users\Admin\AppData\Local\Temp\25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe
"C:\Users\Admin\AppData\Local\Temp\25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Firefx\Firefx32.exe
  "C:\Users\Admin\AppData\Local\Firefx\Firefx32.exe" C:\Users\Admin\AppData\Local\Temp\25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.sux

Filesize
160B

MD5
5b326b71d8037583d8e5089f1545d147

SHA1
9094b79da0269550935b5a440edd7229ce62a511

SHA256
ae12f342841b3e33dc82dd2da45c33809e454d7495386bda05a19549487588a6

SHA512
c1423eb5e81ed881175f88f3fef0b960561ffda2fa496d1abf21bec67e438ba305ffc83a802497b9ba08db2eb5a76e20fb3aa17732b61e9a3bfddcd3b145ce1b

Download Submit
C:\Users\Admin\AppData\Local\Firefx\Firefx32.exe

Filesize
141KB

MD5
5ae42f93bb14b553f52bd15845b0992b

SHA1
f390fab5e976495686e13bac55fb7c6600cb04f9

SHA256
25c6eb273edceebb6b4d3f6d382a3890ab1b5575b0605e95e8c02375a5c83964

SHA512
d3b9494e1d5ee9c20ca019d5e65f1fa83f3b3ee875001c3a5abf36503af4b94fc2bd8e75fae430b7c0b94d74f7e23ae3af228ee8602e7ee685d9e7ddb1ec3858

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.sux

Filesize
16B

MD5
e5e33914546cba9e511ec3b2931d9bda

SHA1
e8294b9f6e00a0161fdbef75446c126fd03cb524

SHA256
0a329d31831bc64ddee858d5afd46235a5ea7a34d13b7a9c11c5b1ca1cbd25ac

SHA512
f54bd3b3fa873318cfb132cc96328ff25bf9cc57097393ced2c775797ecd3eb22c20b215edcd39737f43e0cc5a1e102d8fe17b5feb156b92fd0a48519b1fc580

Download Submit
C:\Users\Admin\Documents\SelectTrace.xlsx.sux

Filesize
10KB

MD5
abe842a09444539fec48e30a063e1ef3

SHA1
043764df3085a69cf74a9a6a2da75904e7cb6a34

SHA256
8aca605e729c1523fa15c2163a275615d12cea6670bc873d04f9d810f4bba3d1

SHA512
69c8275895981f0cfd258cc4d58dc0f68e4f5b3660e4d3dc06f82e3924f016233fdb948db4fbe7a622abe002e915b3bedc9fbc52f3abc6f570e34366b21df9ff

Download Submit
memory/2808-10-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-11-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-512-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-515-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-1129-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-2050-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-2053-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2872-9-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2872-12-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2872-0-0x000007FEF68FE000-0x000007FEF68FF000-memory.dmp

Filesize
4KB

Download
memory/2872-5-0x000007FEF6640000-0x000007FEF6FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2872-1-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download